You don’t need to be paranoid to be a chief information security officer, but it helps. Whether certifiably paranoid or, as the Woody Allen joke goes, just keenly observant, the chief security officer must tune into threats that others can’t see, quantify risks that others can’t fathom, and uncover weaknesses – in the company’s networks, systems, and business processes – that want to remain hidden.
It's a big job that requires a comprehensive plan, strong skills, and a good set of tools. The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly.
An open source method
The open source testing framework I recommend is called the Open Source Security Testing Methodology Manual (OSSTMM). The brainchild of Pete Herzog and his legion of dedicated security testing professionals, this project is well supported by the open source community, and it continues to impress me with its documentation and approach. Providing specific testing objectives and procedures, the OSSTMM is the cookbook for using your tools, in what order and at what time.
The OSSTMM is not simply a penetration testing approach but a methodological framework. The methodology helps guide the planning of the security audit project and properly quantifying the results, and provides the rules of engagement for those performing the audit. It relies on best practices and a threats database as well as knowledge of the target organization to provide a broad view of the risks posed to the infrastructure of the enterprise. Most testing frameworks, such as ISO 27001 (formerly 17799), OCTAVE, COBIT, and ISM3, take an organizational approach to assessment and evaluation. The OSSTMM takes an operational view of enterprise risk.
The OSSTMM contains six testing modules, covering information security, process security, internetworking, communications systems, wireless networks, and physical security. Together, they offer testing methodology and guides to measuring risk to intellectual property, private information, and paper documents, to social engineering attacks, to routers, switches, and firewalls, to PBX's, voicemail, and faxes, to WLAN sniffing and surveillance, and to environmental dangers to buildings and the locks on the doors.
The OSSTMM manual provides a wide range of template documents for the conduct of tests involved in each of the six modules. This set of templates negates the need for supporting software in completing other testing frameworks such as ISO 27001 or COBIT. However, you may need training from ISECOM (the OSSTMM’s parent organization) in the best use of the templates and modules.
In this author’s estimation the true worth of this approach lies in the new “risk assessment values” (RAV) spreadsheet provided by the community. The spreadsheet is divided into the six operational areas and breaks down risk in each of these areas into a numerical value. All of these risk values are aggregated to provide an overall risk profile for the organization. Thus the OSSTMM provides an easy-to-use, consistent, and reliable process that leads you toward meaningful results that can be compared over time. I am always comfortable approaching management with the numbers produced from my OSSTMM tests and the RAV spreadsheet. Although based in Spain, the ISECOM organization provides global training courses and certifications. Just as the ISO 27001 and COBIT processes allow for test report validation, your OSSTMM reports may also receive certification.
A complete security testing toolbox
We’ve discussed the framework for conducting your penetration testing; now we move onto the basic toolbox for your testing. The tools below cover the information security, network, and wireless modules of the OSSTMM. You’ll need tools for testing servers and workstations, switches and routers, network protocols, wireless access points, Web servers, applications, and passwords, to name but a few. Because simple scanning does not meet the OSSTMM’s requirement for thoroughness, you’ll need exploit tools to verify potential vulnerabilities as well. My list of preferred tools is loosely based on the list of Top 100 Network Security Tools provided by Insecure.org. Compiled through a global poll of professional security testers, this list is reviewed and updated every two years, and I've come to rely on it as the basis for my personal toolbox.
The Sectools.org list shows whether the tool is either Linux/Unix or Windows based and whether it is open source or commercial software. When possible I like to use Windows tools. Don't get me wrong, I love Linux and use it all the time. I'm just lazy. If I don't have to switch between operating systems to conduct my testing, I'm happier. My management has an easier time understanding my reports if I can speak using an operating system they are familiar with.
Googleand Google Hacking Database
Google is a great tool for finding all kinds of information on the Web -- including information that shouldn't be there. In the context of the information security portion of the OSSTMM process, Google is used for both the competitive intelligence and privacy scans of your assets. Johnny Long made this method famous with his Google Hacking Database (GHD).
Using Google to find vulnerable machines attached to our network is always an eye-opening experience. Imagine finding a printer attached directly through your firewall to the Internet. Well, this happens far more often than you might believe. Johnny Long's Web site is the easiest place to learn how this process is done. Simply redirect the queries in the GHD to your IP address range. Then massage the queries to match your particular routers, switches, printers, and Web servers. Granted, this is tedious work in the beginning but will save you many hours of penetration testing time in the long-term.
The same techniques are used to find privacy data of your employees that may have leaked to the Internet from your network. This process is well refined for any network infrastructure and systems that face the Internet. Where it becomes really interesting is in finding your corporate intellectual property on the Internet... but that is a story for another day. This is the first tool my team uses as it offers high risk results first. A vulnerability that faces the Internet and is known by Google is one that requires immediate attention.
Nessus security scanner
After using Google to determine the types of hosts on your network, you should begin your testing with a general vulnerability assessment. The ideal tool for this job is Nessus. You’ll use the results from Nessus scans to guide all of your other testing. For example, if you find a Web server or application running on a host, you would use the potential vulnerabilities listed in the Nessus report as attack vectors for exploration or exploitation using Wikto or Metasploit.
The open source Nessus Project was begun in 1998 by Renaud Deraison to compete with the available commercial vulnerability scanners. Nessus is no longer open source, but remains available in a free version that rivals the best commercial alternatives. As a result, Nessus is found in the toolbox of both the well funded and cash strapped security organizations. The difference between the free product and the licensed commercial version of Nessus is how often vulnerability signatures are updated. If you want up-to-the-minute vulnerability updates then opt for the commercial license. If you don't mind waiting seven days for those same updates, then the free product will serve you well.
Nessus has both a Linux/Unix version and a new Windows version (see screen image). The Nessus system consists of a Nessus server, a client, Nessus plug-ins, and the knowledge base. The Windows version provides all these items in a single package, though using it in this fashion is not required.
Nessus tests all aspects of a target including the operating system, ports, services, and applications. Thus the reports may be lengthy but are comprehensive. You'll need to validate the findings as
Nessus, like other network scanners, is prone to false positives.
Wireshark packet analyzer
Formerly known as Ethereal, Wireshark is an exceptionally powerful protocol analyzer. It runs a wide range of operating systems and allows for live capture of network traffic and analysis of traffic captured from external sources. It offers a wide range of default protocol decoders and can parse out traffic threads with ease. The screen is broken into four main sections: the menu bar, the packet list (color coded area, see screen image), packet details (protocols and protocol fields), and lastly the packet bytes showing the raw data stream in both hexadecimal and ASCII formats. Wireshark's graphical analysis tools provide a clear picture when troubleshooting problems or looking for weaknesses during a penetration test.
You would normally use Wireshark as a host or subnet-specific testing tool. You could certainly use it to examine all network traffic flowing through a core router to the firewall, but that’s not likely to be as beneficial as testing communications of a specific host. I typically use Wireshark when looking for user authentication traffic to specific systems under test. I also use it when looking at potentially misconfigured application traffic as identified by Nessus or Wikto.
TCPDump network debugger
TCPDump and its Windows-based brother WinDump are the original packet capture utilities. They are identical in capability and are both actively supported. Both tools allow for the creation, injection, and capture of packets during a security test. Both are command line driven. The information provided is similar to that of Wireshark, and in fact the two may be used interchangeably (TCPDump data in Wireshark or the other way around).
TCPDump comes as a default installation with most *nix operating systems. WinDump requires the use of the Winpcap software for Windows to allow for packet capture. The Pcap software now allows for use with wireless capture as well. This is an old warhorse tool that continues to grow and change with the needs of the testing community.
Netcat network explorer
After you find vulnerabilities with Nessus or Wikto, you need to verify them through exploitation. After gaining a foothold with Metasploit, I’ll get a more permanent hold on the target system using Netcat.
Netcat is known as the network Swiss army knife of testing tools. A command line tool for reading and writing data across TCP and UDP connections, it can create nearly any connection needed in either direction, making it invaluable for exploring networks and servers during penetration testing. It is a perfect tool for setting up back doors and may be called from other programs. Thus your use of the tool may be automated or scripted. A wide range of Netcat derivatives now exist for specialized applications such as SSL or portable thumb drive based use.
Kismet wireless sniffer
Kismet, a powerful 802.11 (layer 2) wireless detection program, serves as your reconnaissance tool for wireless hosts. Kismet identifies potential wireless targets for exploitation. When viewing its logs, look first for access points that are not encrypted, and then for those using default configurations.
Unlike other wireless sniffers Kismet uses any wireless card that uses rfmon (raw monitoring) mode. This offers flexibility over other solutions. Kismet is capable of capturing both beaconing and nonbeaconing networks. The interface is neat and clean and allows for easy drill down for advanced information on a particular network. Its most interesting feature may be the ability to use Kismet with a GPS system to create maps of wireless networks.
Assuming that all of your wireless systems are using some type of encryption, you’ll need some way to crack them. The best method is to use TCPDump or WinDump to capture large amounts of traffic to the access point under test. You can then bring the resulting data set into Aircrack to attempt decryption of the communications to the access point.
Aircrack WLAN cracker
Aircrack is a password cracking program for use with both WEP and WPA networks. It needs a large enough database of packets from the target network for password cracking to begin. The four modules of this suite include airodump, a wireless packet capture utility; aireply, which performs packet injection for security testing; aircrack, which does password cracking using brute force and cryptographic methods; and airdecap, which decrypts WEP and WPA packet streams once the passwords are cracked.
Two new tools have been added to the suite recently that allow for encrypted packet creation and virtual tunnels. Aircrack may also be installed in a virtual machine.
Aircrack supports a wide range of wireless cards, though a new driver or patch may be required for your card. Combining both a Windows GUI and command line interfaces, Aircrack is nevertheless easy to navigate.
Aircrack is another tool that requires some time to master, but given the reliance of wireless networks in today's enterprise may prove invaluable to your team.
Cain and Abel password cracker
Cain and Abel is the top-ranked, Windows-specific password cracking tool for security testers. I think of this tool as my password cracker for a wide range of systems. After I’ve discovered a server via Nessus and broken in via Metasploit or Netcat, I’ll use Cain and Abel to break down the passwords to the operating system and applications.
Cain and Abel is well documented and supported by the community. It has a clean interface and provides for the cracking of a wide range of password types including Cisco, VNC, remote desktops, and many many more. It can do its cracking on the local machine or sniff passwords off the network via specific capture filters. Cain and Abel supports standard dictionary and brute force attacks as well as cryptanalysis attacks. It continues to evolve with the addition of VOIP and wireless password crackers. This tool has proved invaluable to my team for everything from a forgotten workstation password to forensic analysis.
Wikto Web server scanner
After finding a Web server using Nessus, you’ll want to run a Web server assessment tool against the system to find more specific security holes. A professional hammer for Web servers, Wikto is similar to the better-known Nikto Web server assessment tool. Both are well supported by the open source community with Wikto adding some extra functionality. For example, Wikto always starts with a Web scanning wizard (see screen image).
Wikto taps a vulnerability database specific to Web servers and associated elements (including Java apps, databases, forms, and images), and also makes full use of the Google Hacking Database. The Wikto spider crawls the target Web site and maps its directory structure, while the vulnerability scanner reviews possible security weaknesses. For vulnerability assessment, Wikto uses the Nikto vulnerability database. The one minor weakness is the use of the CSV format for exporting reports. CSV was never known as an easy way to view report data, though it gets the job done.
Metasploit exploit framework
Released in 2004, Metasploit is another must-have in your toolbox. Essentially a framework for building security tools and the exploits to launch with those tools, Metasploit is the easiest way to verify that a vulnerability identified by Nessus or Wikto is truly a security hole. Metasploit contains a module launcher to customize both the exploit and payload intended for a particular target. If the penetration is successful the tester is provided a shell to interact with the payload on the target system. There are around 350 different modules to choose from covering a wide range of hosts and operating systems. If the Metasploit repository doesn’t already have a canned exploit for the vulnerability in question, you can create one.
The true power of the framework is the ease of creation of new modules. Modules may be exploits, payloads, encoders, and no-ops. You can define an entirely new module or create variations of preexisting modules. Click for larger view. Documentation and forum support is broad, detailed, and comprehensive. Be prepared to spend some time learning the framework, but it will be time well spent.
A plan of action
Penetration testing is an invaluable process in assessing business risk via IT infrastructure. To make the process cohesive and efficient, however, you must put it in an organized system. I highly recommend using the OSSTMM framework to organize your testing and help you interpret the results. The OSSTMM covers several operational areas and provides templates and valuation of risk for each one.
Once the testing framework is in place you will need a wide range of tools for your toolbox. Vulnerability scanners, protocol analyzers, and wireless tools are but a few of the areas to consider. I have learned to trust the list at Sectools.org to provide most of the tools in my toolbox. Lastly, don't forget about researching the target before the test. Using search engines, you can develop important insight into a target with fairly little effort. The information gained here may save you countless hours testing operating systems and applications that don't exist in the target area.